THREESCALE-12434: Migrate from protected attributes to strong parameters - Part 2#4249
THREESCALE-12434: Migrate from protected attributes to strong parameters - Part 2#4249mayorova wants to merge 43 commits intostrong-params-part1from
Conversation
jlledom
left a comment
jlledom
left a comment
There was a problem hiding this comment.
Some comments come from the other PR. Also, I still see a lot of
| def update_resource(user, attributes) | ||
| attributes.each do |attrs| | ||
| user.attributes = filter_readonly_params(attrs, User) | ||
| user.attributes = filter_readonly_params(attrs, User).permit! |
There was a problem hiding this comment.
All permitted here? is that expected?
There was a problem hiding this comment.
Not good 😅 I guess it was some temporary thing, I'll need to fix it.
There was a problem hiding this comment.
Maybe we should list permitted attributes here instead of permitting everything.
There was a problem hiding this comment.
Yeah... this didn't break after removing the attr_accessible, so I missed it, I guess.
There was a problem hiding this comment.
I think I removed the update_resource method from that controller anyway!
There was a problem hiding this comment.
Yes, great, it was just an example of which parameters were supposed to be permitted.
| class CreateInvitedUser < Procedure | ||
|
|
||
| def call | ||
| user = invitation.make_user(user_data.to_hash) |
There was a problem hiding this comment.
Where is user_data permitted?
There was a problem hiding this comment.
So, honestly, I didn't dig too deep into the OAuth flows, but in general user_data is some data that is returned from the OAuth server, when authenticated via a third-party, see https://github.com/3scale/porta/blob/master/app/lib/three_scale/oauth2/user_data.rb#L8-L20 for its possible fields.
In this case specifically, .to_hash is applied, so the data is reduced to a hash with two fields - :username and :email. As it's a plain hash (not ActionController::Params), there is no need to permit.
mayorova
force-pushed
the
strong-params-part2
branch
2 times, most recently
from
38e277c to
db25ecf
Compare
| @account_params ||= begin | ||
| defined_fields_names = buyer_account.defined_fields_names | ||
| allowed_attrs = defined_fields_names - %w(billing_address) + %w(name) | ||
| nested_params = { extra_fields: buyer_account.defined_extra_fields_names } |
There was a problem hiding this comment.
So, this is different from other API controller, which have only plain parameters, i.e. not nested under extra_fields.
I only did this because there was an existing test in test/integration/admin/api/accounts_controller_test.rb which was passing extra params in this way:
params: update_params.merge(extra_fields: { my_field: 4 })
I also added a check that plain parameters would also work.
Now I'm not sure if other API controllers need to accept both ways too 🤔
mayorova
force-pushed
the
strong-params-part2
branch
4 times, most recently
from
070a9e0 to
d8e75bc
Compare
Co-authored-by: Daria Mayorova <mayorova@users.noreply.github.com>
mayorova
force-pushed
the
strong-params-part2
branch
from
6887355 to
c7bf8ef
Compare
Co-authored-by: Daria Mayorova <mayorova@users.noreply.github.com>
mayorova
force-pushed
the
strong-params-part2
branch
from
a676b21 to
8b5a6de
Compare
mayorova
changed the title
mayorova
force-pushed
the
strong-params-part1
branch
from
0b8ead4 to
6c69623
Compare
mayorova
force-pushed
the
strong-params-part2
branch
2 times, most recently
from
df4ba51 to
498f50b
Compare
mayorova
force-pushed
the
strong-params-part2
branch
from
498f50b to
706cacb
Compare
mayorova
force-pushed
the
strong-params-part1
branch
2 times, most recently
from
bf3524b to
a08b299
Compare
2 participants
What this PR does / why we need it:
This is part 2 of the migration from protected attributes to strong parameters. See the first part in #4248
Protected attributes is an old Rails feature which was deprecated a long time ago. We were using protected_attributes_continued gem to keep it working, but now it's also discontinued and does not support Rails 7+, so it's a blocker for upgrading to Rails 7.2 for us.
This Part 2 handles the models that can have custom attributes through FieldsDefinitions - Account, User, Cinstance.
Which issue(s) this PR fixes
https://redhat.atlassian.net/browse/THREESCALE-12434
Verification steps
All tests should pass, and all features should work as before.
Special notes for your reviewer: